EFFICIENT IDENTIFICATION AND SIGNATURES
FOR SMART CARDS



C.P. Schnorr
Universität Frankfurt

1. Introduction 

We present an efficient interactive identification scheme and a related
signature scheme that are based on discrete logarithms and which are
particularly suited for smart cards. Previous cryptoschemes based on the discrete
logarithm have been proposed by ElGamal (1985), Chaum, Evertse, Graaf
(1988), Beth (1988) and Günther (1989). The new scheme comprises the following
novel features.

(1) We propose an efficient algorithm to preprocess the exponentiation of
random numbers. This preprocessing makes signature generation very fast. It also
improves the efficiency of the other discrete log-cryptosystems. The
preprocessing algorithm is based on two fundamental principles: local
randomization and internal randomization.

(2) We use a prime modulus p such that p-1 has a prime factor q of appropriate
size (e.g. 140 bits long) and we use a base $\alpha$ for the discrete logarithm such that
$\alpha^q \equiv 1 \pmod p$. All logarithms are calculated modulo q. The length of signatures
is about 212 bits, i.e. it is less than half the length of RSA and Fiat-Shamir
signatures. The number of communication bits of the identification scheme is
less than half that of other schemes.

The new scheme minimizes the work to be done by the smart card for 
generating a signature or for proving its identity. This is important since the 
power of current processors for smart cards is rather limited. Previous signature 
schemes require many modular multiplications for signature generation. In the 
new scheme signature generation costs about 12 modular multiplications, and 
these multiplications do not depend on the message/identification, i.e. they can 
be done in preprocessing mode during the idle time of the processor. 

The security of the scheme relies on the one-way property of the
exponentiation $y = \alpha^x \pmod p$, i.e. we assume that discrete logarithms with
base $\alpha$ are difficult to compute. The security of the preprocessing is established
by information theoretic arguments.

This abstract is organised as follows. We present in section 2 a version of the 
signature scheme that uses exponentiation of a random integer. In section 3 we 
propose an efficient algorithm that simulates this exponentiation. We study its 
security in section 4. The performance of the scheme is exemplified in section 5. 



2. The identification and signature scheme 

Notation. For $n \in \mathbb{N}$ let $\mathbb{Z}_n$ be the ring of integers modulo n. We identify $\mathbb{Z}_n$
with the set of integers $\{1,\ldots,n\}$.

Initiation of the key authentication center (KAC). The KAC chooses

  primes p and q such that $q \mid p-1$, $q > 2^{140}$, $p > 2^{512}$,
  $\alpha \in \mathbb{Z}_p$ with order q, i.e. $\alpha^q \equiv 1 \pmod p$, $\alpha \ne 1$,
  a one-way hash function $h : \mathbb{Z}_p \times \mathbb{Z} \to \{0,\ldots,2^t-1\}$,
  its own private and public key.

The KAC publishes $p, q, \alpha, h$ and its public key.

COMMENTS. The KAC's own keys are used for signing the public keys issued
by the KAC. The KAC can use for its own signatures any public key signature
scheme, e.g. RSA, Fiat-Shamir, Rabin or the new scheme presented here. The
hash function h is only used for signatures and is not needed for identification.

The function h outputs random numbers in $\{0,\ldots,2^t-1\}$; for the choice of the
function h see the end of section 2. The security number t can depend on the
intended application; we consider t = 72. The scheme is designed such that
forging a signature or an identification requires, with t = 72, about $2^{72}$ steps.

Registration of users. When a user comes to the KAC for registration the KAC
verifies the user's identity, generates an identification string I (containing name,
address, ID-number etc.) and signs the pair (I,v) consisting of I and the user's
public key v. The user can generate his private key s and the corresponding
public key v himself.

The user's private and public key. Every user has a private key s which is a
random number in $\{1,2,\ldots,q\}$. The corresponding public key v is the number

  $v = \alpha^{-s} \pmod p$.

Once the private key s has been chosen one can easily compute the
corresponding public key v. The inverse process, to compute s from v, requires
computing the discrete logarithm with base $\alpha$ of $v^{-1}$, i.e. $s = -\log_\alpha v$.
The following protocol is related to protocol 1 in Chaum, Evertse, Graaf (1988);
it condenses this protocol to a single round.

The identification protocol

(Prover A proves its identity to verifier B)

1. Initiation. A sends to B its identification string I and its public key v. B
checks v by verifying the KAC's signature transmitted by A.

2. Preprocessing. A picks a random number $r \in \{1,\ldots,q-1\}$, computes $x := \alpha^r \pmod p$,
and sends x to B (see section 3 for an efficient simulation of this
exponentiation).

3. B sends a random number $e \in \{0,\ldots,2^t-1\}$ to A.

4. A sends to B $y := r + se \pmod q$.

5. Identification test. B checks that $x \equiv \alpha^y v^e \pmod p$ and accepts A's proof of
identity iff equality holds.

Obviously if A and B follow the protocol then B always accepts A's proof of
identity. We next consider the possibilities of cheating for A and B. We call
(x,y) the proof and e the exam of the identification. The proof (x,y) (the exam
e, resp.) is called straight if A (B, resp.) has followed the protocol, otherwise the
proof (exam, resp.) is called crooked.

A fraudulent A can cheat by guessing the correct e and sending the crooked
proof

  $x := \alpha^r v^e \pmod p$, $y := r$.

The probability of success for this attack is $2^{-t}$. By the following proposition
this success rate cannot be increased unless computing $\log_\alpha v$ is easy.

Proposition 2.1 Suppose there is a probabilistic algorithm AL with time bound
|AL| which takes for input a public key v and withstands, with probability $\varepsilon > 2^{-t+1}$,
the identification test for a straight exam. Then the discrete logarithm of v
can be computed in time $O(|AL|/\varepsilon)$ and constant, positive probability.

Proof. This is similar to Theorem 5 in Feige, Fiat, Shamir (1987). The following
algorithm AL* computes $\log_\alpha v$.

1. Repeat the following steps at most $1/\varepsilon$ times: generate x the same way as does
algorithm AL, pick a random $e' \in \{0,\ldots,2^t-1\}$ and check whether AL passes
the identification test for (x,e'); if AL succeeds then fix x and go to 2.

2. Probe $4/\varepsilon$ random numbers $e'' \in \{0,\ldots,2^t-1\}$. If algorithm AL passes the
identification test for some e'' that is distinct from e' then go to 3 and
otherwise stop.

3. Take the numbers y', y'' which AL submits to the identification test in
response to e', e''. (Since $\alpha^{y'} v^{e'} \equiv \alpha^{y''} v^{e''} \equiv x \pmod p$ we have
$\alpha^{y'-y''} \equiv v^{e''-e'} \pmod p$.)

4. Output $(y'-y'')/(e''-e') \pmod q$, which is $\log_\alpha v$.

We bound from below the success probability of this algorithm. The
algorithm finds in step 1 a passing pair (x,e') with probability at least 1/2. With
probability at least 1/2 the x chosen in step 1 has the property that AL
withstands the identification test for at least an $\varepsilon/2$-fraction of all $e \in
\{0,\ldots,2^t-1\}$. For such an x step 2 finds a passing number e'' that is distinct from e'
with probability at least

  $1 - (1-\varepsilon/2)^{4/\varepsilon} \ge 1 - e^{-2} > 0.3$.

This shows that the success probability of the algorithm is at least 0.3/4. □

The verifier B is free to choose the bit string e in step 3 of the
identification protocol, thus he can try to choose e in order to obtain useful
information from A. The informal (but non rigorous) reason that A reveals no
information is that the numbers x and y are random. The random number x
reveals no information. Furthermore it is unlikely that the number y reveals any
useful information because y is superposed by the discrete logarithm of x,
$y = \log_\alpha x + e \cdot s \pmod q$, and the cryptanalyst cannot infer $r = \log_\alpha x$ from x. The
scheme is not zero-knowledge because the triple (x,y,e) may be a particular
solution of the equation $x \equiv \alpha^y v^e \pmod p$ due to the fact that the choice of e
may depend on x.

Minimizing the number of communication bits. We can reduce the number of
communication bits for identification. For this A sends in step 2 h(x) (instead
of x) and B computes in step 5 $\bar x := \alpha^y v^e \pmod p$ and checks that $h(x) = h(\bar x)$.
It is not necessary that h is a one-way function because $x = \alpha^r \pmod p$ is
already the result of a one-way function. We can take for h(x) the t least
significant bits of x. The total number of communication bits for h(x), e, y is
2t + 140, which is less than half that of other schemes. The transmission of e is not
necessary; e can be fixed to h(x). Then the pair (y, h(x)) is a signature of the
empty message with respect to the following signature scheme.

Protocol for signature generation.

To sign message m using the private key s perform the following steps:

1. Preprocessing (see section 3). Pick a random number $r \in \{1,\ldots,q\}$ and
compute $x := \alpha^r \pmod p$.

2. Compute $e := h(x,m) \in \{0,\ldots,2^t-1\}$.

3. Compute $y := r + se \pmod q$ and output the signature (e,y).



Protocol for signature verification.

To verify the signature (e,y) for message m and public key v
compute $\bar x := \alpha^y v^e \pmod p$ and check that $e = h(\bar x, m)$ (signature test).

A signature (e,y) is considered to be valid if it withstands the signature test.
A signature generated according to the protocol is always valid since

  $\bar x \equiv \alpha^y v^e \equiv \alpha^{r+se} \alpha^{-se} \equiv \alpha^r \equiv x \pmod p$.

With t = 72 and $q \approx 2^{140}$ the signature (e,y) is 212 bits long.
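The identification exchange (steps 2 to 5), the signature scheme and the extraction step of Proposition 2.1 in one runnable piece, as an added example that is not part of the paper. The group is a constructed toy instance (p = 2039, q = 1019, t = 8, with $\alpha = 2^{(p-1)/q} \bmod p$ of order q), far below the 140/512-bit sizes the scheme requires, and the hash h(x,m) is an assumption (SHA-256 over x || m truncated to t bits), since the paper leaves h open. The private key is drawn from {1,...,q-1} rather than {1,...,q}: s = q would give v = 1.

```python
"""Toy instance of the identification and signature scheme of section 2.

Added example, not code from the paper.  The group parameters are a
constructed toy instance (p = 2039, q = 1019, t = 8); a deployment needs
q ~ 2^140, p ~ 2^512, t = 72 as the paper states.  The hash h is an
assumption: SHA-256 over x || m, truncated to t bits.
"""
from __future__ import annotations

import hashlib
import secrets

P, Q, T = 2039, 1019, 8                  # q | p - 1, 2^t < q
ALPHA = pow(2, (P - 1) // Q, P)          # alpha = 4: alpha^q = 1 and alpha != 1, so order q


def h(x: int, m: bytes) -> int:
    """h(x, m) in {0, ..., 2^t - 1}  (assumed construction, see above)."""
    digest = hashlib.sha256(x.to_bytes(64, "big") + m).digest()
    return int.from_bytes(digest, "big") % (1 << T)


def keygen() -> tuple[int, int]:
    """Private key s in {1, ..., q-1}, public key v = alpha^(-s) mod p.
    (s = q is excluded: it would give v = 1.)"""
    s = secrets.randbelow(Q - 1) + 1
    return s, pow(ALPHA, Q - s, P)


# --- identification protocol, steps 2 to 5 (step 1, the KAC certificate, is omitted) ---
def prover_commit(r: int | None = None) -> tuple[int, int]:
    """Step 2: A picks r and sends x = alpha^r mod p; r stays with A."""
    if r is None:
        r = secrets.randbelow(Q - 1) + 1
    return r, pow(ALPHA, r, P)


def verifier_challenge() -> int:
    """Step 3: B's exam e in {0, ..., 2^t - 1}."""
    return secrets.randbelow(1 << T)


def prover_respond(s: int, r: int, e: int) -> int:
    """Step 4: y = r + s e mod q."""
    return (r + s * e) % Q


def verifier_check(v: int, x: int, e: int, y: int) -> bool:
    """Step 5: accept iff x == alpha^y v^e mod p."""
    return x == pow(ALPHA, y, P) * pow(v, e, P) % P


def run_identification(s: int, v: int) -> bool:
    r, x = prover_commit()
    e = verifier_challenge()
    return verifier_check(v, x, e, prover_respond(s, r, e))


def crooked_proof(v: int, guessed_e: int) -> tuple[int, int]:
    """A prover without s: guess e, pick y = r, send x = alpha^r v^e.
    Passes iff the verifier's e equals the guess, i.e. with probability 2^-t."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(ALPHA, r, P) * pow(v, guessed_e, P) % P, r


# --- signature scheme ---
def sign(s: int, m: bytes, r: int | None = None) -> tuple[int, int]:
    r, x = prover_commit(r)              # normally taken from the preprocessing (section 3)
    e = h(x, m)
    return e, (r + s * e) % Q


def verify(v: int, m: bytes, sig: tuple[int, int]) -> bool:
    e, y = sig
    x_bar = pow(ALPHA, y, P) * pow(v, e, P) % P
    return e == h(x_bar, m)


def extract_log(e1: int, y1: int, e2: int, y2: int) -> int:
    """Step 4 of the algorithm in Proposition 2.1: two accepted answers for
    the same x with e1 != e2 give log_alpha v = (y1 - y2)/(e2 - e1) mod q,
    which is -s mod q.  Reusing r across signatures leaks s the same way."""
    return (y1 - y2) * pow(e2 - e1, -1, Q) % Q
```

The extractor doubles as the practitioner's warning about r: two signatures made with the same r and different e yield $-s$ by the same division, so the preprocessing of section 3 must never hand out a repeated pair (r,x), and a forged message passes the signature test with probability about $2^{-t}$, which is why t = 72 and not the 8 bits of this toy.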

Efficiency. The work for signature generation consists mainly of the
preprocessing (see section 3) and the computation of $se \pmod q$ where the
numbers s and e are about 140 and t = 72 bits long. The latter multiplication is
negligible compared with a modular multiplication in the RSA-scheme.

Signature verification consists mainly of the computation of $\bar x = \alpha^y v^e \pmod p$
which can be done on the average using $1.5\,l + 0.25\,t$ multiplications
modulo p, where $l = \lceil \log_2 q \rceil$ is the bit length of q. For this let y and e have
the binary representations

  $y = \sum_{i=0}^{l-1} y_i 2^i$, $e = \sum_{i=0}^{l-1} e_i 2^i$ with $e_i = 0$ for $i \ge t$.

We compute $\alpha v$ in advance and we obtain $\bar x$ as follows:

1. $i := l$, $z := 1$,

2. while $i > 0$ do [$i := i-1$, $z := z^2 \alpha^{y_i} v^{e_i} \pmod p$],

3. $\bar x := z$.

This computation requires at most $l + t - 1 + \sum_{i=t}^{l-1} y_i$ modular multiplications. If
half of the bits $y_i$ with $i \ge t$ are zero, and $e_i = y_i = 0$ holds for one fourth of
the $i < t$, then there are at most $1.5\,l + 0.25\,t$ modular multiplications.
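The simultaneous exponentiation of steps 1 to 3, as an added example (not the paper's code) on constructed toy parameters p = 2039, q = 1019, t = 8, so l = 10. The table holds $\alpha$, v and the precomputed $\alpha v$; the multiplication counter makes the bound $l + t - 1 + \sum_{i \ge t} y_i$ and the $1.5\,l + 0.25\,t$ average checkable on random inputs.

```python
"""Simultaneous exponentiation x_bar = alpha^y v^e mod p with the
precomputed product alpha*v, following the three steps above.

Added example, not code from the paper.  Toy parameters (p = 2039,
q = 1019, t = 8) are constructed here so the loop is visible; the
multiplication counter lets the l + t - 1 + sum(y_i, i >= t) bound and the
1.5 l + 0.25 t average be checked directly.
"""
from __future__ import annotations

import secrets

P, Q, T = 2039, 1019, 8
ALPHA = pow(2,( P - 1) // Q, P)          # order q: alpha^q = 1 and alpha != 1
L = Q.bit_length()                       # l = ceil(log2 q), the bit length of q


def dual_exp(y: int, e: int, v: int, l: int = L) -> tuple[int, int]:
    """Return (alpha^y v^e mod p, number of modular multiplications used)."""
    table = {(1, 0): ALPHA, (0, 1): v, (1, 1): ALPHA * v % P}   # alpha*v in advance
    z, mults, started = 1, 0, False
    for i in range(l - 1, -1, -1):       # step 2: i runs from l-1 down to 0
        if started:                      # z := z^2, skipped while z is still 1
            z = z * z % P
            mults += 1
        bits = ((y >> i) & 1, (e >> i) & 1)
        if bits != (0, 0):               # multiply by alpha^{y_i} v^{e_i} in one step
            z = z * table[bits] % P
            mults += 1
            started = True
    return z, mults


def worst_case_bound(y: int, l: int = L, t: int = T) -> int:
    """l + t - 1 + (number of bits y_i with i >= t), where e_i = 0."""
    return l + t - 1 + bin(y >> t).count("1")


def average_mults(v: int, samples: int = 2000) -> float:
    """Empirical mean for random y < q, e < 2^t; compare with 1.5 l + 0.25 t."""
    total = 0
    for _ in range(samples):
        y, e = secrets.randbelow(Q), secrets.randbelow(1 << T)
        total += dual_exp(y, e, v)[1]
    return total / samples
```

With l = 10 and t = 8 the paper's estimate is 17; the empirical mean comes out a little lower because leading zero bits of y and e save squarings, which the worst-case count does not credit.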

Comparison with ElGamal signatures. An ElGamal signature (y,x) for the
message m and keys v,s with $v = \alpha^s \pmod p$ satisfies the equation $\alpha^m \equiv v^x x^y \pmod p$
and can be generated from a random number r by setting $x := \alpha^r \pmod p$
and by computing y from the equation

  $ry + sx \equiv m \pmod{p-1}$. (1)

We replace in equation (1) x by the hash value $e = h(x,m)$. Then we can
dispense with the right side m in equation (1), which we set to zero. We further
simplify (1) in that we replace the product ry by y - r and p-1 by q. This
transforms (1), up to the sign of s (above we use $v = \alpha^{-s}$), into the new equation
$y = r + es \pmod q$. The new signatures are much shorter.

The choice of the prime q. The prime q must be at least 140 bits long in order to
sustain a security level of $2^{72}$ steps. This is because $\log_\alpha(x) \in \{1,\ldots,q\}$ can be
found in $O(\sqrt q)$ steps by the baby step giant step method. In order to compute
$u, v < \lceil \sqrt q \rceil$ such that $\log_\alpha(x) = u + \lceil \sqrt q \rceil v$ we enumerate the sets
$S_1 = \{\alpha^u \pmod p \mid 0 \le u < \lceil \sqrt q \rceil\}$ and $S_2 = \{x \alpha^{-\lceil \sqrt q \rceil v} \pmod p \mid 0 \le v < \lceil \sqrt q \rceil\}$
and we search for a common element $\alpha^u \equiv x \alpha^{-\lceil \sqrt q \rceil v} \pmod p$.
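The baby step giant step search described above, written out for a constructed toy group (p = 2039, q = 1019, $\alpha$ of order q) as an added example that is not the paper's code. It costs about $2\lceil\sqrt q\rceil$ multiplications and $\lceil\sqrt q\rceil$ table entries, which is the $O(\sqrt q)$ work that forces q to 140 bits for a $2^{72}$ security level; applied to a public key $v = \alpha^{-s}$ it returns $-s \bmod q$.

```python
"""Baby step giant step for log_alpha(x) in the order-q subgroup of Z_p^*,
as in the paragraph above.  Added example, not the paper's code; toy
parameters p = 2039, q = 1019 are constructed here.
"""
import math

P, Q = 2039, 1019
ALPHA = pow(2, (P - 1) // Q, P)          # order q


def bsgs(x: int, alpha: int = ALPHA, p: int = P, q: int = Q) -> int:
    """Return log_alpha(x) mod q, i.e. u + m*v with alpha^(u + m v) == x (mod p)
    and m = ceil(sqrt(q)).  About 2m multiplications and m table entries."""
    m = math.isqrt(q - 1) + 1            # ceil(sqrt(q))
    baby = {}                            # S_1: alpha^u -> u for 0 <= u < m
    g = 1
    for u in range(m):
        baby.setdefault(g, u)
        g = g * alpha % p
    giant_step = pow(alpha, -m, p)       # alpha^(-m)
    gamma = x % p                        # runs through S_2: x * alpha^(-m v)
    for v in range(m):
        if gamma in baby:                # common element alpha^u == x alpha^(-m v)
            return (baby[gamma] + m * v) % q
        gamma = gamma * giant_step % p
    raise ValueError("x is not in the subgroup generated by alpha")


def recover_private_key(v_pub: int) -> int:
    """The public key is v = alpha^(-s), so s = -log_alpha(v) mod q."""
    return (-bsgs(v_pub)) % Q
```

The ValueError branch is the check one wants in practice: an element outside the order-q subgroup (here, -1 mod p, which has order 2) has no logarithm to base $\alpha$, and a verifier that accepts such a value as a public key or commitment is accepting something the scheme's security argument does not cover.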



Copyright (c) 1998, Springer-Verlag 






The choice of the hash function h. We distinguish two types of attacks:

a) Given a message m find a signature for m,

b) chosen message attack. Sign an unsigned message by using signatures of
messages of your choice.

In order to thwart the attack a) the function h(x,m) must be almost uniform
with respect to x in the following sense. For every message m, every $e \in
\{0,\ldots,2^t-1\}$ and random $x \in \mathbb{Z}_p$ the probability $\mathrm{prob}_x[h(x,m) = e]$ must be near
to $2^{-t}$. Otherwise, in case that for fixed m, e the event h(x,m) = e has
nonnegligible probability with respect to random x, the cryptanalyst can
compute $\bar x := \alpha^y v^e \pmod p$ for arbitrary y-values until the equality $e =
h(\bar x, m)$ holds. The equality yields a signature (y,e) for message m. If h(x,m) is
uniformly distributed with respect to random x then this attack requires about
$2^t$ steps.

In order to thwart the chosen message attack the function h(x,m) must be
one-way in the argument m. Otherwise the cryptanalyst can choose y, e
arbitrarily, compute $\bar x := \alpha^y v^e \pmod p$ and solve $e = h(\bar x, m)$ for m.
Then he has found a signature for some message m (one he did not choose, but a forgery nonetheless).

It is not necessary that the function h(x,m) is collision-free with respect to
m. Suppose the cryptanalyst finds messages m and m' such that h(x,m) = h(x,m')
for some $x = \alpha^y \pmod p$. If he asks for a signature for m' then this signature is
based on a new random number x' and cannot simply be used to sign m. The
equality h(x,m) = h(x,m') only helps to sign m if a signature (y,e) for m' is
given such that $x \equiv \alpha^y v^e \pmod p$. But if h(x,m) is one-way in m then it is
difficult to solve h(x,m) = h(x,m') for given x, m'.

3. Preprocessing the random number exponentiation

We describe an efficient method for preprocessing the random numbers r
and $x := \alpha^r \pmod p$ that are used for signature generation. This preprocessing
mode also applies to other discrete log-cryptosystems such as the schemes by
ElGamal (1985), Beth (1988) and Günther (1989).

The smart card stores a collection of k independent random pairs $(r_i, x_i)$ for
$i = 1,\ldots,k$ such that $x_i = \alpha^{r_i} \pmod p$, where the numbers $r_i$ are independent
random numbers in $\{1,\ldots,q\}$. Initially these pairs can be generated by the KAC.
For every signature/identification the card uses a random combination (r,x) of
these pairs and subsequently rejuvenates the collection of pairs by combining
randomly selected pairs. We use a random combination (r,x) in order to release
minimum information on the pairs $(r_i, x_i)$, $i = 1,\ldots,k$. For each signature
generation we randomize the pairs $(r_i, x_i)$ so that no useful information can be
collected in the long run. We give an example of a preprocessing algorithm that
demonstrates the method. It uses a security parameter d; for all practical
purposes d and k can be fairly small integers, for this paper we assume that
$6 \le d, k$.

Preprocessing algorithm

Initiation. Load $r_i, x_i$ for $i = 1,\ldots,k$; $\nu := 1$ ($\nu$ is the round number).

1. Pick random numbers $a(0),\ldots,a(d-3) \in \{1,\ldots,k\}$; set $a(d-2) := a(d) := \nu-1 \pmod k$,
$a(d-1) := \nu$.

2. $r_\nu := \sum_{i=0}^{d} r_{a(i)} 2^i \pmod q$, $x_\nu := \prod_{i=0}^{d} x_{a(i)}^{2^i} \pmod p$.

(Below we give a detailed algorithm for this computation.)

3. Keep for the next signature/identification the pair (r,x) with

  $r := r_\nu + 2\,r_{\nu-1} \pmod q$, $x := x_\nu \cdot x_{\nu-1}^2 \pmod p$,

where $r_\nu, x_\nu$ are the values before they are replaced in step 2 (this pair
falls out of the detailed computation of step 2 below).

4. $\nu := \nu + 1 \pmod k$, go to 1 for the next round.

REMARKS. 1. By the choice of a(d-1) the preprocessing preserves the uniform
distribution on $(r_1,\ldots,r_k)$.

2. The setting $a(d) := \nu-1 \pmod k$ has the effect that step 2 shifts the binary
representation of $r_{\nu-1}$ by d positions to the left and subsequently adds it to $r_\nu$.
Theorem 4.2 relies on the choice of a(d-1), Lemma 4.3 relies on the choice of a(d),
and Theorem 4.4 relies on the choice of a(d-2), a(d-1) and a(d).

3. The preprocessing algorithm must not be public. Each smart card can have its
own secret algorithm for preprocessing. There are many variations of the above
technique. It is possible to take for $(r_{a(i)}, x_{a(i)})$ with $0 \le i < d-2$ the key pair
(-s, v).

We describe step 2 of the preprocessing algorithm in detail. Step 2 can be done
using only 2d multiplications modulo p, d additions modulo q and d shifts.

Step 2 of the preprocessing algorithm.

1. $u := r_{a(d)}$, $z := x_{a(d)}$, $i := d-1$.

2. while $i \ge 0$ do [$u := 2u + r_{a(i)} \pmod q$, $z := z^2 x_{a(i)} \pmod p$,
if $i = d-1$ then ($r := u$, $x := z$), $i := i-1$].

3. $r_\nu := u$, $x_\nu := z$.
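The preprocessing algorithm with step 2 in the detailed form above, as an added example (not the paper's code), on a constructed toy group p = 2039, q = 1019 with k = 8 and d = 6, the values chosen in section 5. The round method returns the pair (r,x) kept for the next signature and overwrites $(r_\nu, x_\nu)$ in place; a multiplication counter checks the 2d figure, and consistent() checks the invariant $x_i = \alpha^{r_i}$ after every round.

```python
"""Preprocessing algorithm of section 3, with step 2 in the detailed
(Horner) form given above.  Added example, not code from the paper.
Toy parameters p = 2039, q = 1019 are constructed here; k = 8 and d = 6 are
the values chosen in section 5.  Indices a(i) are 1-based as in the paper,
so the arrays carry an unused slot 0.
"""
from __future__ import annotations

import secrets

P, Q = 2039, 1019
ALPHA = pow(2, (P - 1) // Q, P)          # order q
K, D = 8, 6


def initial_pairs(k: int = K) -> list[tuple[int, int]]:
    """The KAC's initial load: k independent pairs (r_i, alpha^{r_i} mod p)."""
    rs = [secrets.randbelow(Q) + 1 for _ in range(k)]
    return [(r, pow(ALPHA, r, P)) for r in rs]


class Preprocessor:
    def __init__(self, pairs: list[tuple[int, int]]):
        self.r = [0] + [r for r, _ in pairs]
        self.x = [1] + [x for _, x in pairs]
        self.k = len(pairs)
        self.nu = 1                      # round number nu in {1, ..., k}
        self.mults = 0                   # multiplications mod p performed so far

    def consistent(self) -> bool:
        """Invariant x_i = alpha^{r_i} mod p for every stored pair."""
        return all(pow(ALPHA, self.r[i], P) == self.x[i] for i in range(1, self.k + 1))

    def next_pair(self, d: int = D) -> tuple[int, int]:
        """One round of the algorithm; returns the pair (r, x) kept for the
        next signature/identification, with x = alpha^r mod p."""
        k, nu = self.k, self.nu
        prev = (nu - 2) % k + 1          # nu - 1, taken in {1, ..., k}
        # step 1: a(0..d-3) random, a(d-2) = a(d) = nu-1, a(d-1) = nu
        a = [secrets.randbelow(k) + 1 for _ in range(d - 2)] + [prev, nu, prev]
        # step 2, detailed form: u := r_{a(d)}, z := x_{a(d)}, then Horner's rule
        u, z = self.r[a[d]], self.x[a[d]]
        kept = (u, z)
        for i in range(d - 1, -1, -1):
            u = (2 * u + self.r[a[i]]) % Q
            z = z * z * self.x[a[i]] % P
            self.mults += 2              # one squaring and one product per step
            if i == d - 1:
                kept = (u, z)            # step 3: r_nu + 2 r_{nu-1}, x_nu x_{nu-1}^2
        self.r[nu], self.x[nu] = u, z    # r_nu := u, x_nu := z
        self.nu = nu % k + 1             # step 4: nu := nu + 1 (mod k)
        return kept
```

The in-place update is the point of the construction: every round costs exactly 2d = 12 multiplications modulo p, independent of the message, so the card can keep running rounds in idle time and has a fresh (r,x) ready before the exam or the message arrives.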



4. Cryptanalysis of preprocessing

The preprocessing algorithm combines two fundamental principles: local
randomization and internal randomization. The pairs (r,x) that are used for
signatures are locally random in the sense that every k consecutive pairs are
independent, see Theorem 4.2. The random indices $a(0),\ldots,a(d-3)$ perform an
internal randomization. The principles of local and of internal randomization
are complementary and can also be used for the construction of pseudo-random
number generators and hash functions.

Notations. We denote the number a(i) of round $\nu$ as $a(i,\nu)$. Let $T_\nu$ be the $k \times k$
integer matrix that describes the transformation of the numbers $r_1,\ldots,r_k$ in
round $\nu$ of the preprocessing algorithm, i.e. step 2 of round $\nu$ performs $r^T := T_\nu r^T \pmod q$
where $r = (r_1,\ldots,r_k)$. For $j \ge 0$ let $r^j$ be the number r after j
rounds. The sequence of r-values that is used for signatures is $r^1, r^2, \ldots, r^j, \ldots$.

Lemma 4.1 If the initial vector $(r_1,\ldots,r_k)$ is uniformly distributed over $\{1,\ldots,q\}^k$
then this distribution is preserved throughout the preprocessing provided that $2^d < q$.

Proof. $T_\nu$ is the identity matrix except for row $\nu$. Row $\nu$ is determined by the
transformation of $r_\nu$ in step 2:

  $r_\nu := r_\nu \cdot \det T_\nu + \sum_{i:\, a(i) \ne \nu} r_{a(i)} 2^i \pmod q$

where $\det T_\nu = \sum_{i:\, a(i) = \nu} 2^i$. It follows from $a(d-1,\nu) = \nu$ and $a(d,\nu) \ne \nu$ that
$\det T_\nu$ is a nonzero integer and thus $1 \le \det T_\nu < 2^d < q$. We see that $T_\nu$ is
invertible modulo q. Therefore $T_\nu$ preserves the uniform distribution on
$\{1,\ldots,q\}^k$. □

A similar argument proves the next theorem.

Theorem 4.2 If the initial vector $(r_1,\ldots,r_k)$ is uniformly distributed over $\{1,\ldots,q\}^k$
then for all $j \ge 0$ and for all numbers $a(i,\nu)$, $0 \le i \le d-3$, $\nu \le k+j$, the vector
$(r^{1+j},\ldots,r^{k+j})$ is, for sufficiently large q, uniformly distributed over $\{1,\ldots,q\}^k$.

It is an open problem whether the vector $(r^{i_1},\ldots,r^{i_k})$ is uniformly
distributed for all indices $1 \le i_1 < i_2 < \cdots < i_k$. We believe that this holds for all
but a negligible fraction of the instances for $a(i,\nu)$, $1 \le \nu \le i_k$.

Because of Theorem 4.2 the cryptanalyst can only attack a sequence of more
than k consecutive signatures/identifications. The set of the first k+1 signatures
can be attacked by guessing the numbers $a(0),\ldots,a(d-3)$ of the first k rounds.
Given these numbers and the first k+1 signatures the cryptanalyst can determine
the secret key s and the initial numbers $r_1,\ldots,r_k$ by solving a system of k+1
linear equations modulo q. This attack requires an exhaustive search over $k^{(d-2)k}$
cases.



be the number r v after v rounds of preprocessing. If q and the 
numbers a(0),...,a(d-3) for u rounds are fixed then the number rj* w is a 
function of the initial numbers ri,...,r k which is linear over Z q . 
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Lemma 4.3 Pair wise distinct instances for the numbers a(0),...,a(d-3) of u 
rounds generate, for sufficiently large q, pairwise distinct linear functions r" W « 
r£* w (rx t ...,r k ) depending on the initial numbers rj,...,r k and q. 

Proof. Let $S_\nu := T_\nu T_{\nu-1} \cdots T_1$ be the product matrix that describes the
transformation on r for the first $\nu$ rounds of preprocessing. This is an integer
matrix that does not depend on q. The dominant row (i.e. the row with the
maximal entry) of $S_\nu$ is the row $\nu \pmod k$; call this row vector $s_\nu$. We show how
to decipher all numbers a(i) of the first $\nu$ rounds from $s_\nu$. To simplify the
argument let $a(i,1)$ for $i = 0,\ldots,d$ be pairwise distinct. Then the j-th largest entry of
$s_\nu$ is in column $a(d-j+1, 1)$ for $j = 1,\ldots,d+1$. (In general we can determine from the
relative size of the largest entries of $s_\nu$ which of the numbers $a(i,1)$ coincide.)
This clearly holds for $\nu = 1$ and the induction step from $\nu-1$ to $\nu$ follows
from $a(d,\nu) = \nu-1 \pmod k$. This shows how to obtain from $s_\nu$ the matrix $T_1$.

Given the matrix $T_1$ we form the vector $s_\nu T_1^{-1}$, which is the dominant row of
the matrix $T_\nu T_{\nu-1} \cdots T_2$ that corresponds to $\nu-1$ rounds starting with round
number 2. Thus we can decipher in the same way the numbers $a(i,2)$ for $i = 0,\ldots,d$
and the matrix $T_2$ from $s_\nu T_1^{-1}$. Recursively we obtain from $s_\nu$ all numbers a(i)
of the first $\nu$ rounds. Now the claim follows from the equation

  $r_\nu^\nu = s_\nu r^T \pmod q$

where $r = (r_1,\ldots,r_k)$ is the initial r-vector. □

For random input $(r_1,\ldots,r_k) \in (\mathbb{Z}_q)^k$ two distinct linear functions over $\mathbb{Z}_q$
give the same output with probability 1/q. Therefore if the number of choices
for $a(0),\ldots,a(d-3)$ over $\nu$ rounds is about q then the number $r_\nu^\nu$ is completely
randomised by the numbers $a(0),\ldots,a(d-3)$ of $\nu$ rounds, and thus $r_\nu^\nu$ is
quasi-independent of $r_1,\ldots,r_k$.

Let a be the vector $a = (a(i,\nu) \mid i = 0,\ldots,d-3,\ \nu = 1,\ldots,k)$. The number $r^{k+1}$ is
determined by $r_1,\ldots,r_k$, q and a. We know from Theorem 4.2 that the linear
transformation $(r_1,\ldots,r_k) \mapsto (r^1,\ldots,r^k)$ is invertible modulo q. Therefore we have
a function $r^{k+1} = r^{k+1}(r^1,\ldots,r^k,q,a)$ that is linear in $r^1,\ldots,r^k$ over $\mathbb{Z}_q$. By the
next theorem distinct instances of a yield, for sufficiently large q, distinct
functions $r^{k+1}$ in $r^1,\ldots,r^k$.

Theorem 4.4 Pairwise distinct instances for the numbers $a(0),\ldots,a(d-3)$ of the
first k rounds generate, for sufficiently large q, pairwise distinct linear functions
$r^{k+1}$ depending on $r^1,\ldots,r^k$.

Proof. We show that distinct vectors a generate, for sufficiently large q, distinct
linear functions $r^{k+1}(r_1,\ldots,r_k,q,a)$ where the inputs are the initial numbers
$r_1,\ldots,r_k$. Let $s_{k+1}$ be the coefficient vector of the linear function
$r^{k+1}(r_1,\ldots,r_k,q,a)$, i.e. $r^{k+1}(r_1,\ldots,r_k,q,a) = s_{k+1} r^T \pmod q$ with $r = (r_1,\ldots,r_k)$. By
the method in the proof of Lemma 4.3 we can decipher from $s_{k+1}$ all numbers
a(i) of the first k rounds.

Now the claim follows from the choice $a(d-2,\nu) = \nu-1 \pmod k$. It follows
by an argument that is similar to, but more involved than, the one for the proof of
Lemma 4.3. □

The fastest attack on the preprocessing algorithm that we are aware of
enumerates the linear functions $r^{k+1}(r^1,\ldots,r^k,q,a)$ that have high probability;
the probability space is the set of all vectors a. For the security level $2^{72}$ it is
necessary that the maximal probability for these linear functions is not much
larger than $2^{-72}$. In order to break the preprocessing it is sufficient to guess two
functions $r^{k+1}(r^1,\ldots,r^k,q,a)$ and $r^{k+2}(r^2,\ldots,r^{k+1},q,a)$. Given these two functions
we can uncover the secret key s from the first k+2 signatures by solving a
system of linear equations.

We finally consider attacks on arbitrarily many signatures from a different
point of view. The problem to recover the secret key s and the initial numbers
$r_1,\ldots,r_k$ when the first n signatures are given can be put into the following
form.

Given integers $y_1,\ldots,y_n \in \{1,\ldots,q\}$ and $e_1,\ldots,e_n \in \mathbb{Z}$.
Find integers $s, r_1,\ldots,r_k \in \{1,\ldots,q\}$ such that there exist integers $t_{ij}$, $0 \le t_{ij} <
2^{i(d+1)}$, satisfying

  $y_i \equiv e_i s + \sum_{j=1}^{k} t_{ij} r_j \pmod q$, $i = 1,\ldots,n$. (4.1)

The searched integers $t_{ij}$ are from the linear transformation $(r_1,\ldots,r_k) \mapsto
(r^1,\ldots,r^n)$, hence $0 \le t_{ij} < 2^{i(d+1)}$. If $k^{(d-2)k} > q$ the equation (4.1) is, for
almost all $y_1,e_1,\ldots,y_n,e_n,s,r_1,\ldots,r_k$, solvable for $t_{ij}$ such that $0 \le t_{ij} < 2^{i(d+1)}$.
This makes this attack useless. However if k and d are small the solvability of
equation (4.1) with $0 \le t_{ij} < 2^{i(d+1)}$ may characterize the searched numbers
$r_1,\ldots,r_k$. It is interesting to determine the complexity of finding $r_1,\ldots,r_k$ such
that (4.1) is solvable with "small" integers $t_{ij}$. It seems that this problem is more
difficult than the knapsack problem since in our case all knapsack items s and
$r_1,\ldots,r_k$ are unknown.

Conclusion. There is a trade-off between the parameters k and d. It is
sufficient to have $q > 2^{140}$, k = 8 and d = 6; then $k^{(d-2)k} = 2^{96}$. It is
possible to further reduce k and d but we must have $k^{(d-2)k} \ge 2^{72}$.
5. The performance of the signature scheme

We wish to achieve a security level of $2^{72}$ operations, i.e. the best known
method for forging a signature/identification should require at least $2^{72}$ steps.
In order to obtain the security level $2^{72}$ we choose $q > 2^{140}$ and t = 72. We
choose for the preprocessing algorithm the parameters k = 8 and d = 6. For
the new scheme the number of multiplication steps and the length of signatures
are independent of the bit length of p. Only the length of the public key
depends on p. For this we assume that p is 512 bits long. We compare the
performance of the new scheme to the Fiat-Shamir scheme (k=8, t=9), the
RSA-scheme and the GQ-scheme of Guillou and Quisquater.



# of multiplications                  new scheme    Fiat-Shamir    RSA     GQ
                                      t=72          k=8, t=9

signature generation
  (without preprocessing)                           45*            750*    216*
preprocessing                         12*                          0       0
signature verification                228*          45*            > 2     108*

*) can be reduced by optimisation

Fast algorithms for signature verification exist for the RSA-scheme with small
exponent and for the Micali-Shamir variant of the Fiat-Shamir scheme. The
new scheme is most efficient for signature generation.



# bytes for the new scheme

system parameters p, q                            82.5 (26, resp., see below)
$\alpha$                                           64
public key v                                      64
private key s                                     18.5
signature (e,y)                                   26.5
preprocessing $(r_i, x_i)$, i=1,...,8 (6, resp.)   660 (495, resp., see below)



We can choose particular primes q and p such that

  $|q - 2^{140}| \le 2^{40}$, $|p - 2^{512}| \le 2^{168}$.

The particular form simplifies the arithmetic modulo q and modulo p, and
requires only 26 bytes to store p and q. We are not aware of any disadvantage of
this particular form for p and q. In total about 800 (635, resp.) bytes EEPROM
are sufficient to store p, q, v, s, the signature (e,y) and the pairs $(r_i, x_i)$ for
$i = 1,\ldots,8$ (6, resp.); $\alpha$ is not needed for signature generation. About 192 bytes
RAM are necessary to perform modular multiplications with a 512 bit modulus p.
The program for signature generation requires less than 500 bytes ROM.
Optimization. We give a variant of the preprocessing algorithm that uses only
k = 6 pairs $(r_i, x_i)$ and which requires on the average 12.76 modular multiplications
per round. First let k = 6 and let $(r_7, x_7)$ be the pair (-s, v).

Optimized preprocessing

1. $r := r_{\nu-1} + r_\nu \pmod q$, $x := x_{\nu-1} \cdot x_\nu \pmod p$,
keep the pair (r,x) for the next signature/identification,
$u := r + r_{\nu-1} \pmod q$, $z := x \cdot x_{\nu-1} \pmod p$.

2. for $j = 1,\ldots,4$ do [pick with probability $7 \cdot 3/29$, $7/29$, $1/29$ resp.
2, 1, 0 resp. distinct random numbers $a \in \{1,\ldots,7\}$;
$u := 2u + \sum_a r_a \pmod q$, $z := z^2 \prod_a x_a \pmod p$].

3. $r_\nu := u$, $x_\nu := z$, $\nu := \nu + 1 \pmod 6$, go to 1 for the next round.

The number of possible transformations per round is about $(7 \cdot 3 + 7 + 1)^4 = 29^4$.
The number of possible transformations over 6 rounds is about $29^{24} \approx 2^{116}$,
which is sufficiently large to perform an internal randomization. The average
number of modular multiplications is $6 + 4(2 \cdot 7 \cdot 3 + 7)/29 \approx 12.76$.

We can further reduce either the number of pairs $(r_i, x_i)$ or the number of
modular multiplications by inserting write operations into step 2 of the
preprocessing. We can at the end of the inner loop of step 2 decide, based on a
coin flip, whether to replace some pair $(r_a, x_a)$ by (u,z). This will increase the
number of possible transformations per round. However this variant will only be
practical if write operations are sufficiently fast.

Acknowledgement. I wish to thank J. Håstad for his criticism of the previous
version of the preprocessing algorithm.